On 18 December 2015, the Permanent Representatives Committee (Coreper) endorsed an informal deal struck with the European Parliament on the first rules to strengthen the security of network and information systems across the EU. 

The network and information security (NIS) directive will increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers. Essential services operators are active in critical sectors such as energy, transport, health and finance. Digital services cover online marketplaces, search engines and cloud services. 

The requirements will be stronger for essential operators than for digital service providers. This reflects the degree of risk that any disruption to their services may pose to society and the economy. 

Each EU country will also be required to designate one or more national authorities and set out a strategy to deal with cyber threats. 

What next? 

Once the agreed text has undergone technical finalisation, it needs to be formally approved first by the Council and then by the Parliament. The procedure is expected to be concluded in spring 2016.  

After the directive has entered into force, member states will have 21 months to adopt the necessary national provisions. Following this period, they will have another 6 months to identify the essential services operators established in their territory which are to be covered by the directive.